Google has identified a new cybercrime group that specializes in providing initial access to target networks through highly customized, non-automated phishing campaigns and appears to have a working relationship with FIN12, a well-known Russian cybercrime gang.
Unlike many other groups of this kind, the team that Google uncovered doesn’t use automated email tools to spam out generic messages with boilerplate subject lines and body text. Rather, this group, which Google has named Exotic Lily, takes the time to research its potential target organizations, set up new domains that spoof legitimate companies, and then send customized lures and establish communications with people inside the organization to build trust before eventually sending malware-laden files to the victims and gaining access to the network. Exotic Lily’s tactics are more closely aligned with those of APT groups than with those of a typical initial access broker.
“We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation,” Vlad Stolyarov and Benoit Sevens of Google’s Threat Analysis Group said in a post.
“Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.”
Exotic Lily is part of the emerging crop of initial access brokers, individuals or groups that specialize in compromising organizations and then sell that access to other cybercrime groups. While some cybercrime organizations have their own teams that specialize in initial access, there is a growing number of independent teams like Exotic Lily that work on gaining access to specific organizations. In the case of Exotic Lily, the group looks to have ties specifically with FIN12, a financially motivated cybercrime group that is known for targeting health care organizations in ransomware attacks.
“While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,” Stolyarov and Sevens said.
Exotic Lily has used a variety of tactics in its campaigns, including setting up new domains to spoof legitimate ones, often using TLDs such as .US or .CO rather than .COM. The group then sets up personas and creates email accounts before sending out the customized phishing messages to victims. They then attempt to set up meetings or send business proposals as a way of creating a relationship with the victim.
“At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges,” Stolyarov and Sevens said.
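The two delivery traits described above, a sender domain that copies a trusted partner's name under a different TLD and a payload that arrives as a notification from a legitimate file-sharing service, can both be surfaced from mail logs. The following Python triage heuristic is an added example written for this page, not Google TAG's code or tooling. The trusted-domain list, the file-sharing notification sender domains, the sanctioned-service list and every message in the sample mailbox are constructed for the demonstration; in practice they come from your own environment.

```python
"""Mail-log triage for the lookalike-TLD and file-share-notification traits.

Added example, not Google TAG's code. Domain lists and messages are constructed.
"""
from dataclasses import dataclass, field

# Constructed: domains of partners/vendors the organization already corresponds with.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-partner.com"}

# Services named in the report; these notification sender domains are assumed here.
FILE_SHARING_DOMAINS = {"wetransfer.com", "transfernow.net", "transferxl.com", "onedrive.com"}

# Constructed: services the organization legitimately receives shares from.
SANCTIONED_SHARING = {"onedrive.com"}


@dataclass
class Message:
    sender: str
    subject: str
    urls: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """'Jane <jane@mail.acme-supplies.co>' -> 'mail.acme-supplies.co'."""
    return addr.rsplit("@", 1)[-1].rstrip(">").strip().lower()


def registrable(domain: str):
    """Return (second-level label, tld), e.g. ('acme-supplies', 'co').
    Multi-part public suffixes such as co.uk are ignored for brevity."""
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def lookalike_of_trusted(domain: str):
    """Trusted domain that `domain` mimics by swapping the TLD (.com -> .us/.co), else None."""
    cand = registrable(domain)
    if cand is None:
        return None
    for trusted in TRUSTED_DOMAINS:
        t = registrable(trusted)
        if t is not None and t[0] == cand[0] and t[1] != cand[1]:
            return trusted
    return None


def sharing_service(domain: str):
    """File-sharing service whose notification domain sent the mail, else None."""
    for svc in FILE_SHARING_DOMAINS:
        if domain == svc or domain.endswith("." + svc):
            return svc
    return None


def normalize_subject(subject: str) -> str:
    """Strip leading 'Re:' prefixes so replies join the original thread."""
    subj = subject.lower().strip()
    while subj.startswith("re:"):
        subj = subj[3:].strip()
    return subj


def triage(messages):
    """Return [(message, score, findings)]. A share notification that continues a
    thread previously seen from a lookalike sender is escalated, which matches the
    staged lure: rapport first, file-sharing notification last."""
    lookalike_threads = set()
    results = []
    for m in messages:
        dom = sender_domain(m.sender)
        subj = normalize_subject(m.subject)
        findings, score = [], 0
        mimicked = lookalike_of_trusted(dom)
        if mimicked:
            findings.append(f"lookalike sender {dom} mimics {mimicked}")
            score += 2
            lookalike_threads.add(subj)
        svc = sharing_service(dom)
        if svc:
            findings.append(f"file-share notification via {svc}")
            score += 0 if svc in SANCTIONED_SHARING else 1
            if subj in lookalike_threads:
                findings.append("share notification continues a lookalike-domain thread")
                score += 3
        results.append((m, score, findings))
    return results


# Constructed sample mailbox: a real partner, a lookalike persona, then the share.
SAMPLE_MAILBOX = [
    Message("orders@acme-supplies.com", "Q2 order confirmation"),
    Message("Jane Doe <jane.doe@acme-supplies.us>", "Partnership proposal"),
    Message("Jane Doe <jane.doe@acme-supplies.us>", "Re: Partnership proposal"),
    Message("noreply@wetransfer.com", "Re: Partnership proposal",
            ["https://wetransfer.com/downloads/CONSTRUCTED"]),
    Message("no-reply@onedrive.com", "Shared: budget.xlsx", ["https://onedrive.com/CONSTRUCTED"]),
]

if __name__ == "__main__":
    for msg, score, findings in triage(SAMPLE_MAILBOX):
        print(f"[{score}] {msg.sender!r} {msg.subject!r}: {findings or 'clean'}")
```

The scores are deliberately additive so that a lone notification from a service the organization uses scores nothing, while the same notification landing in a thread that a lookalike-TLD sender started is what gets escalated for analyst review.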
Exotic Lily has employed a couple of different strains of malware in its campaigns, notably BazarLoader. But the group also has sent malicious documents with an exploit for the CVE-2021-40444 vulnerability in MSHTML, which was a zero day at the time the group used it.